The impact of GDPR on our practice

We just recently passed the six-month mark since the introduction of new data protection regulation (GDPR). To find out how one practice has managed these changes, Josie Hutchings, Regional Support Manager at Practice Plan, spoke to Zoe Sharp, Practice Manager at Alexandra Dental Care…

GDPR is an acronym we’ve all become pretty familiar with since the start of 2018, both as a customer of other companies and also in our own professions. It’s hard to think of an industry that hasn’t been touched by the regulation which required many to implement new ways, or adapt old ones, of storing and processing data.

Of course, given the patient data that dental practices have access to, and potentially need to share, e.g. for referrals, they were far from immune from the reach of GDPR. As we approach the six-month milestone since the regulation came into force, I spoke to Zoe Sharp, to see how they have dealt with the changes and the effect on their practice.

Josie Hutchings (JH): GDPR has been in place for a little while now, but before it came into force, did you realise how significant it was going to be for dentistry?

Zoe Sharp (ZS): It first came to my attention around Christmas 2017, I started to receive emails about it and began discussing it with friends who are also practice managers. I knew straight away it wasn’t going to be something that you could ignore and it was going to impact the way we work as a profession.

Then you invited us to attend a course back in February called ‘Getting to Grips with GDPR’ with Pat Langley from Apolline, which was right on my doorstep. So, of course, I signed up straight away! It was brilliant that the course was so early on in the year because it gave us plenty of time to digest the information and prepare for the implementation in May. I found the course really worthwhile, but information about the regulation was evolving and coming to light all the time, so I went on it again in April to consolidate everything I’d learned the first time.

JH: It’s great that you feel the course helped you! How else did you prepare for the implementation of GDPR on 25th May?

ZS: We have forms, that we were given on the course and which we could download from an online portal provided by Practice Plan. This enabled us to do an inventory of all the personal data we have for patients and staff. This helped us to look at the security of that data, carry out a risk assessment and risk management process, and examine our legal basis for processing that data to make sure we are compliant. We’re still using those forms now.

We’ve also put up privacy notices in the waiting room and online, which Practice Plan provided the guidance for. This gave us a great starting point and just made it that bit easier to manage the process of being GDPR compliant.

I didn’t have an NHS.net email address so I have now encrypted my emails, so I know that I can send patient information, such as when we’re referring someone to another practice, totally securely.

GDPR is a real learning curve so we’re constantly refining and enhancing the way we do things, and I think a lot of other practices will be in the same boat. For example, we recently installed new confidential paper bins around the practice for any documents that contain patients information, which then gets shredded by another company who provide a certificate to say it’s been disposed of securely. We also discuss GDPR at every monthly practice meeting to discuss new ideas or ways of doing things as they arise, etc.

JH: I know you had some concerns over how GDPR might affect your marketing, particularly in terms of sharing patient testimonials on social media. Did you need to make any changes in this area to be compliant?

ZS: We were showing full facial photos with the patient’s name on Facebook as a way of showcasing the kind of treatments we carry out and highlighting positive patient experiences. We initially stopped doing these completely whilst we learned more about GDPR. Now, we show photos but not the full face, and we use the name but in a way the patient is comfortable with, so it may be partially anonymised, such as first initial and surname.

We also ask all our patients when they visit the practice for appointments whether they are happy to continue receiving emails, letters or texts from us about appointment reminders and promotions, etc.

JH: How did the regulation impact the way you store patient records?

ZS: We spent a few months over summer going through and tidying up all our paper records – disposing of the ones we could and locking away the ones we were keeping in a room that can only be accessed via a pin-pad code. The records are backed up every day as well.

JH: How did you approach communicating the changes to your patients?

ZS: Like a lot of companies, we sent an email to let them know about the new policy notice on the website with a link for them to view it. As patients attend the practice we have talked to them about GDPR (and will continue to), particularly in relation to the methods they are happy to receive communications from us and whether they’re happy to continue receiving our e-newsletters. We haven’t had any bad reactions from patients, I think they were well aware of GDPR anyway as so many companies were talking about it and they know it is in the interest of safeguarding their information.

JH: What are your thoughts now on the impact that GDPR has had?

ZS: It did have a big impact on how we manage our data, and affect the way we work day-to-day, but it really helped to have a lot of support from people like yourself who we could turn to for guidance. Although ensuring we’re GDPR compliant did add to our workload, and create another level of administration, I think the positive side to it was that it made us think more about how we communicate with patients, the content of our communications and the safety of patients‘ information – which can only be a good thing. The key is not to be frightened of GDPR, but to embrace it.

JH: That’s great, it sounds like a really positive approach! Thanks for sharing your story, which I’m sure has resonated with many other practices.